//+-------------------------------------------------------------------------
//  Microsoft Windows
//
//  Copyright (C) Microsoft Corporation, 2001 - 2001
//
//  File:       vercert.cpp
//
//  Contents:   Minimal Cryptographic functions to verify ASN.1 encoded
//              X.509 certificates
//
//
//  Functions:  MinCryptVerifyCertificate
//
//  History:    17-Jan-01    philh   created
//--------------------------------------------------------------------------

#include "global.hxx"

// Upper bound on the number of issuer hops MinCryptVerifyCertificate follows.
// A chain needing more hops is rejected with CERT_E_CHAINING, which also
// keeps a cyclic set of issuer certificates from looping forever.
#define MAX_CHAIN_DEPTH             10

//+=========================================================================
//  Microsoft Roots
//-=========================================================================

// Name:: <CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US>
//
// DER-encoded X.500 Name (outer SEQUENCE, 0x50 content bytes). The RDNs are
// encoded in the order C, O, CN. Root lookup by name compares these bytes
// exactly (length, then memcmp), so an issuer name matches only if it is
// encoded identically.
const BYTE rgbMicrosoftRoot0_Name[] = {
    0x30, 0x50, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
    0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
    0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x0A,
    0x13, 0x04, 0x4D, 0x53, 0x46, 0x54, 0x31, 0x32,
    0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
    0x29, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F,
    0x66, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68, 0x65,
    0x6E, 0x74, 0x69, 0x63, 0x6F, 0x64, 0x65, 0x28,
    0x74, 0x6D, 0x29, 0x20, 0x52, 0x6F, 0x6F, 0x74,
    0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69,
    0x74, 0x79
};
// DER-encoded SubjectPublicKeyInfo of "Microsoft Authenticode(tm) Root
// Authority": rsaEncryption (OID 1.2.840.113549.1.1.1), 2048-bit modulus,
// public exponent 65537 (the trailing 0x02, 0x03, 0x01, 0x00, 0x01).
// This is a pinned trust anchor: changing any byte changes which key is trusted.
const BYTE rgbMicrosoftRoot0_PubKeyInfo[]= {
    0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09,
    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
    0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00,
    0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01,
    0x00, 0xDF, 0x08, 0xBA, 0xE3, 0x3F, 0x6E, 0x64,
    0x9B, 0xF5, 0x89, 0xAF, 0x28, 0x96, 0x4A, 0x07,
    0x8F, 0x1B, 0x2E, 0x8B, 0x3E, 0x1D, 0xFC, 0xB8,
    0x80, 0x69, 0xA3, 0xA1, 0xCE, 0xDB, 0xDF, 0xB0,
    0x8E, 0x6C, 0x89, 0x76, 0x29, 0x4F, 0xCA, 0x60,
    0x35, 0x39, 0xAD, 0x72, 0x32, 0xE0, 0x0B, 0xAE,
    0x29, 0x3D, 0x4C, 0x16, 0xD9, 0x4B, 0x3C, 0x9D,
    0xDA, 0xC5, 0xD3, 0xD1, 0x09, 0xC9, 0x2C, 0x6F,
    0xA6, 0xC2, 0x60, 0x53, 0x45, 0xDD, 0x4B, 0xD1,
    0x55, 0xCD, 0x03, 0x1C, 0xD2, 0x59, 0x56, 0x24,
    0xF3, 0xE5, 0x78, 0xD8, 0x07, 0xCC, 0xD8, 0xB3,
    0x1F, 0x90, 0x3F, 0xC0, 0x1A, 0x71, 0x50, 0x1D,
    0x2D, 0xA7, 0x12, 0x08, 0x6D, 0x7C, 0xB0, 0x86,
    0x6C, 0xC7, 0xBA, 0x85, 0x32, 0x07, 0xE1, 0x61,
    0x6F, 0xAF, 0x03, 0xC5, 0x6D, 0xE5, 0xD6, 0xA1,
    0x8F, 0x36, 0xF6, 0xC1, 0x0B, 0xD1, 0x3E, 0x69,
    0x97, 0x48, 0x72, 0xC9, 0x7F, 0xA4, 0xC8, 0xC2,
    0x4A, 0x4C, 0x7E, 0xA1, 0xD1, 0x94, 0xA6, 0xD7,
    0xDC, 0xEB, 0x05, 0x46, 0x2E, 0xB8, 0x18, 0xB4,
    0x57, 0x1D, 0x86, 0x49, 0xDB, 0x69, 0x4A, 0x2C,
    0x21, 0xF5, 0x5E, 0x0F, 0x54, 0x2D, 0x5A, 0x43,
    0xA9, 0x7A, 0x7E, 0x6A, 0x8E, 0x50, 0x4D, 0x25,
    0x57, 0xA1, 0xBF, 0x1B, 0x15, 0x05, 0x43, 0x7B,
    0x2C, 0x05, 0x8D, 0xBD, 0x3D, 0x03, 0x8C, 0x93,
    0x22, 0x7D, 0x63, 0xEA, 0x0A, 0x57, 0x05, 0x06,
    0x0A, 0xDB, 0x61, 0x98, 0x65, 0x2D, 0x47, 0x49,
    0xA8, 0xE7, 0xE6, 0x56, 0x75, 0x5C, 0xB8, 0x64,
    0x08, 0x63, 0xA9, 0x30, 0x40, 0x66, 0xB2, 0xF9,
    0xB6, 0xE3, 0x34, 0xE8, 0x67, 0x30, 0xE1, 0x43,
    0x0B, 0x87, 0xFF, 0xC9, 0xBE, 0x72, 0x10, 0x5E,
    0x23, 0xF0, 0x9B, 0xA7, 0x48, 0x65, 0xBF, 0x09,
    0x88, 0x7B, 0xCD, 0x72, 0xBC, 0x2E, 0x79, 0x9B,
    0x7B, 0x02, 0x03, 0x01, 0x00, 0x01
};


// Name:: <CN=Microsoft Root Authority, OU=Microsoft Corporation,
//         OU=Copyright (c) 1997 Microsoft Corp.>
//
// DER-encoded X.500 Name (outer SEQUENCE, 0x70 content bytes). The RDNs are
// encoded in the order OU (copyright), OU (Microsoft Corporation), CN.
// Root lookup by name compares these bytes exactly (length, then memcmp).
const BYTE rgbMicrosoftRoot1_Name[]= {
    0x30, 0x70, 0x31, 0x2B, 0x30, 0x29, 0x06, 0x03,
    0x55, 0x04, 0x0B, 0x13, 0x22, 0x43, 0x6F, 0x70,
    0x79, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x28,
    0x63, 0x29, 0x20, 0x31, 0x39, 0x39, 0x37, 0x20,
    0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66,
    0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x2E, 0x31,
    0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0B,
    0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73,
    0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70,
    0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31,
    0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x13, 0x18, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73,
    0x6F, 0x66, 0x74, 0x20, 0x52, 0x6F, 0x6F, 0x74,
    0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69,
    0x74, 0x79
};

// DER-encoded SubjectPublicKeyInfo of "Microsoft Root Authority":
// rsaEncryption (OID 1.2.840.113549.1.1.1), 2048-bit modulus, public
// exponent 65537. This is a pinned trust anchor: changing any byte changes
// which key is trusted.
const BYTE rgbMicrosoftRoot1_PubKeyInfo[]= {
    0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09,
    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
    0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00,
    0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01,
    0x00, 0xA9, 0x02, 0xBD, 0xC1, 0x70, 0xE6, 0x3B,
    0xF2, 0x4E, 0x1B, 0x28, 0x9F, 0x97, 0x78, 0x5E,
    0x30, 0xEA, 0xA2, 0xA9, 0x8D, 0x25, 0x5F, 0xF8,
    0xFE, 0x95, 0x4C, 0xA3, 0xB7, 0xFE, 0x9D, 0xA2,
    0x20, 0x3E, 0x7C, 0x51, 0xA2, 0x9B, 0xA2, 0x8F,
    0x60, 0x32, 0x6B, 0xD1, 0x42, 0x64, 0x79, 0xEE,
    0xAC, 0x76, 0xC9, 0x54, 0xDA, 0xF2, 0xEB, 0x9C,
    0x86, 0x1C, 0x8F, 0x9F, 0x84, 0x66, 0xB3, 0xC5,
    0x6B, 0x7A, 0x62, 0x23, 0xD6, 0x1D, 0x3C, 0xDE,
    0x0F, 0x01, 0x92, 0xE8, 0x96, 0xC4, 0xBF, 0x2D,
    0x66, 0x9A, 0x9A, 0x68, 0x26, 0x99, 0xD0, 0x3A,
    0x2C, 0xBF, 0x0C, 0xB5, 0x58, 0x26, 0xC1, 0x46,
    0xE7, 0x0A, 0x3E, 0x38, 0x96, 0x2C, 0xA9, 0x28,
    0x39, 0xA8, 0xEC, 0x49, 0x83, 0x42, 0xE3, 0x84,
    0x0F, 0xBB, 0x9A, 0x6C, 0x55, 0x61, 0xAC, 0x82,
    0x7C, 0xA1, 0x60, 0x2D, 0x77, 0x4C, 0xE9, 0x99,
    0xB4, 0x64, 0x3B, 0x9A, 0x50, 0x1C, 0x31, 0x08,
    0x24, 0x14, 0x9F, 0xA9, 0xE7, 0x91, 0x2B, 0x18,
    0xE6, 0x3D, 0x98, 0x63, 0x14, 0x60, 0x58, 0x05,
    0x65, 0x9F, 0x1D, 0x37, 0x52, 0x87, 0xF7, 0xA7,
    0xEF, 0x94, 0x02, 0xC6, 0x1B, 0xD3, 0xBF, 0x55,
    0x45, 0xB3, 0x89, 0x80, 0xBF, 0x3A, 0xEC, 0x54,
    0x94, 0x4E, 0xAE, 0xFD, 0xA7, 0x7A, 0x6D, 0x74,
    0x4E, 0xAF, 0x18, 0xCC, 0x96, 0x09, 0x28, 0x21,
    0x00, 0x57, 0x90, 0x60, 0x69, 0x37, 0xBB, 0x4B,
    0x12, 0x07, 0x3C, 0x56, 0xFF, 0x5B, 0xFB, 0xA4,
    0x66, 0x0A, 0x08, 0xA6, 0xD2, 0x81, 0x56, 0x57,
    0xEF, 0xB6, 0x3B, 0x5E, 0x16, 0x81, 0x77, 0x04,
    0xDA, 0xF6, 0xBE, 0xAE, 0x80, 0x95, 0xFE, 0xB0,
    0xCD, 0x7F, 0xD6, 0xA7, 0x1A, 0x72, 0x5C, 0x3C,
    0xCA, 0xBC, 0xF0, 0x08, 0xA3, 0x22, 0x30, 0xB3,
    0x06, 0x85, 0xC9, 0xB3, 0x20, 0x77, 0x13, 0x85,
    0xDF, 0x02, 0x03, 0x01, 0x00, 0x01
};


// 4096 bit key generated in 2001
//
// Name:: <CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com>
//
// DER-encoded X.500 Name (outer SEQUENCE, 0x5F content bytes). The RDNs are
// encoded in the order DC=com, DC=microsoft, CN; the two DC values use
// IA5String (tag 0x16) and the CN uses PrintableString (tag 0x13).
// Root lookup by name compares these bytes exactly (length, then memcmp).
const BYTE rgbMicrosoftRoot2_Name[]= {
    0x30, 0x5F, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0A,
    0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64,
    0x01, 0x19, 0x16, 0x03, 0x63, 0x6F, 0x6D, 0x31,
    0x19, 0x30, 0x17, 0x06, 0x0A, 0x09, 0x92, 0x26,
    0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19, 0x16,
    0x09, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F,
    0x66, 0x74, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03,
    0x55, 0x04, 0x03, 0x13, 0x24, 0x4D, 0x69, 0x63,
    0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x52,
    0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74,
    0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20,
    0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74,
    0x79
};
// DER-encoded SubjectPublicKeyInfo of "Microsoft Root Certificate Authority":
// rsaEncryption (OID 1.2.840.113549.1.1.1), 4096-bit modulus, public
// exponent 65537. This is a pinned trust anchor: changing any byte changes
// which key is trusted.
const BYTE rgbMicrosoftRoot2_PubKeyInfo[]= {
    0x30, 0x82, 0x02, 0x22, 0x30, 0x0D, 0x06, 0x09,
    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
    0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0F, 0x00,
    0x30, 0x82, 0x02, 0x0A, 0x02, 0x82, 0x02, 0x01,
    0x00, 0xF3, 0x5D, 0xFA, 0x80, 0x67, 0xD4, 0x5A,
    0xA7, 0xA9, 0x0C, 0x2C, 0x90, 0x20, 0xD0, 0x35,
    0x08, 0x3C, 0x75, 0x84, 0xCD, 0xB7, 0x07, 0x89,
    0x9C, 0x89, 0xDA, 0xDE, 0xCE, 0xC3, 0x60, 0xFA,
    0x91, 0x68, 0x5A, 0x9E, 0x94, 0x71, 0x29, 0x18,
    0x76, 0x7C, 0xC2, 0xE0, 0xC8, 0x25, 0x76, 0x94,
    0x0E, 0x58, 0xFA, 0x04, 0x34, 0x36, 0xE6, 0xDF,
    0xAF, 0xF7, 0x80, 0xBA, 0xE9, 0x58, 0x0B, 0x2B,
    0x93, 0xE5, 0x9D, 0x05, 0xE3, 0x77, 0x22, 0x91,
    0xF7, 0x34, 0x64, 0x3C, 0x22, 0x91, 0x1D, 0x5E,
    0xE1, 0x09, 0x90, 0xBC, 0x14, 0xFE, 0xFC, 0x75,
    0x58, 0x19, 0xE1, 0x79, 0xB7, 0x07, 0x92, 0xA3,
    0xAE, 0x88, 0x59, 0x08, 0xD8, 0x9F, 0x07, 0xCA,
    0x03, 0x58, 0xFC, 0x68, 0x29, 0x6D, 0x32, 0xD7,
    0xD2, 0xA8, 0xCB, 0x4B, 0xFC, 0xE1, 0x0B, 0x48,
    0x32, 0x4F, 0xE6, 0xEB, 0xB8, 0xAD, 0x4F, 0xE4,
    0x5C, 0x6F, 0x13, 0x94, 0x99, 0xDB, 0x95, 0xD5,
    0x75, 0xDB, 0xA8, 0x1A, 0xB7, 0x94, 0x91, 0xB4,
    0x77, 0x5B, 0xF5, 0x48, 0x0C, 0x8F, 0x6A, 0x79,
    0x7D, 0x14, 0x70, 0x04, 0x7D, 0x6D, 0xAF, 0x90,
    0xF5, 0xDA, 0x70, 0xD8, 0x47, 0xB7, 0xBF, 0x9B,
    0x2F, 0x6C, 0xE7, 0x05, 0xB7, 0xE1, 0x11, 0x60,
    0xAC, 0x79, 0x91, 0x14, 0x7C, 0xC5, 0xD6, 0xA6,
    0xE4, 0xE1, 0x7E, 0xD5, 0xC3, 0x7E, 0xE5, 0x92,
    0xD2, 0x3C, 0x00, 0xB5, 0x36, 0x82, 0xDE, 0x79,
    0xE1, 0x6D, 0xF3, 0xB5, 0x6E, 0xF8, 0x9F, 0x33,
    0xC9, 0xCB, 0x52, 0x7D, 0x73, 0x98, 0x36, 0xDB,
    0x8B, 0xA1, 0x6B, 0xA2, 0x95, 0x97, 0x9B, 0xA3,
    0xDE, 0xC2, 0x4D, 0x26, 0xFF, 0x06, 0x96, 0x67,
    0x25, 0x06, 0xC8, 0xE7, 0xAC, 0xE4, 0xEE, 0x12,
    0x33, 0x95, 0x31, 0x99, 0xC8, 0x35, 0x08, 0x4E,
    0x34, 0xCA, 0x79, 0x53, 0xD5, 0xB5, 0xBE, 0x63,
    0x32, 0x59, 0x40, 0x36, 0xC0, 0xA5, 0x4E, 0x04,
    0x4D, 0x3D, 0xDB, 0x5B, 0x07, 0x33, 0xE4, 0x58,
    0xBF, 0xEF, 0x3F, 0x53, 0x64, 0xD8, 0x42, 0x59,
    0x35, 0x57, 0xFD, 0x0F, 0x45, 0x7C, 0x24, 0x04,
    0x4D, 0x9E, 0xD6, 0x38, 0x74, 0x11, 0x97, 0x22,
    0x90, 0xCE, 0x68, 0x44, 0x74, 0x92, 0x6F, 0xD5,
    0x4B, 0x6F, 0xB0, 0x86, 0xE3, 0xC7, 0x36, 0x42,
    0xA0, 0xD0, 0xFC, 0xC1, 0xC0, 0x5A, 0xF9, 0xA3,
    0x61, 0xB9, 0x30, 0x47, 0x71, 0x96, 0x0A, 0x16,
    0xB0, 0x91, 0xC0, 0x42, 0x95, 0xEF, 0x10, 0x7F,
    0x28, 0x6A, 0xE3, 0x2A, 0x1F, 0xB1, 0xE4, 0xCD,
    0x03, 0x3F, 0x77, 0x71, 0x04, 0xC7, 0x20, 0xFC,
    0x49, 0x0F, 0x1D, 0x45, 0x88, 0xA4, 0xD7, 0xCB,
    0x7E, 0x88, 0xAD, 0x8E, 0x2D, 0xEC, 0x45, 0xDB,
    0xC4, 0x51, 0x04, 0xC9, 0x2A, 0xFC, 0xEC, 0x86,
    0x9E, 0x9A, 0x11, 0x97, 0x5B, 0xDE, 0xCE, 0x53,
    0x88, 0xE6, 0xE2, 0xB7, 0xFD, 0xAC, 0x95, 0xC2,
    0x28, 0x40, 0xDB, 0xEF, 0x04, 0x90, 0xDF, 0x81,
    0x33, 0x39, 0xD9, 0xB2, 0x45, 0xA5, 0x23, 0x87,
    0x06, 0xA5, 0x55, 0x89, 0x31, 0xBB, 0x06, 0x2D,
    0x60, 0x0E, 0x41, 0x18, 0x7D, 0x1F, 0x2E, 0xB5,
    0x97, 0xCB, 0x11, 0xEB, 0x15, 0xD5, 0x24, 0xA5,
    0x94, 0xEF, 0x15, 0x14, 0x89, 0xFD, 0x4B, 0x73,
    0xFA, 0x32, 0x5B, 0xFC, 0xD1, 0x33, 0x00, 0xF9,
    0x59, 0x62, 0x70, 0x07, 0x32, 0xEA, 0x2E, 0xAB,
    0x40, 0x2D, 0x7B, 0xCA, 0xDD, 0x21, 0x67, 0x1B,
    0x30, 0x99, 0x8F, 0x16, 0xAA, 0x23, 0xA8, 0x41,
    0xD1, 0xB0, 0x6E, 0x11, 0x9B, 0x36, 0xC4, 0xDE,
    0x40, 0x74, 0x9C, 0xE1, 0x58, 0x65, 0xC1, 0x60,
    0x1E, 0x7A, 0x5B, 0x38, 0xC8, 0x8F, 0xBB, 0x04,
    0x26, 0x7C, 0xD4, 0x16, 0x40, 0xE5, 0xB6, 0x6B,
    0x6C, 0xAA, 0x86, 0xFD, 0x00, 0xBF, 0xCE, 0xC1,
    0x35, 0x02, 0x03, 0x01, 0x00, 0x01
};



//+=========================================================================
//  Test Roots
//-=========================================================================

// Name:: <CN=Microsoft Test Root Authority, OU=Copyright (c) 1999 Microsoft Corp., OU=Microsoft Corporation>
//
// DER-encoded X.500 Name (outer SEQUENCE, 0x75 content bytes). The RDNs are
// encoded in the order OU (copyright), CN, OU (Microsoft Corporation).
// This is the name of the TEST root: RootTable flags its entry fTestRoot, so
// a match on it is honoured only when I_CheckIsTestRootAllowed() succeeds.
const BYTE rgbTestRoot0_Name[] = {
    0x30, 0x75, 0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04,
    0x0B, 0x13, 0x22, 0x43, 0x6F, 0x70, 0x79, 0x72, 0x69, 0x67,
    0x68, 0x74, 0x20, 0x28, 0x63, 0x29, 0x20, 0x31, 0x39, 0x39,
    0x39, 0x20, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66,
    0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x2E, 0x31, 0x26, 0x30,
    0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1D, 0x4D, 0x69,
    0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x54, 0x65,
    0x73, 0x74, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x41, 0x75,
    0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x31, 0x1E, 0x30,
    0x1C, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x15, 0x4D, 0x69,
    0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F,
    0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E
};

// DER-encoded SubjectPublicKeyInfo of "Microsoft Test Root Authority":
// rsaEncryption (OID 1.2.840.113549.1.1.1), 1536-bit modulus, public
// exponent 65537. The modulus is shorter than the 2048/4096-bit production
// roots in this file; the key is a test-only anchor and is gated at lookup
// time by the fTestRoot flag on its RootTable entry.
const BYTE rgbTestRoot0_PubKeyInfo[]= {
    0x30, 0x81, 0xDF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
    0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81,
    0xCD, 0x00, 0x30, 0x81, 0xC9, 0x02, 0x81, 0xC1, 0x00, 0xA9,
    0x6B, 0xB7, 0xAE, 0x1E, 0x27, 0x36, 0xED, 0x90, 0xD5, 0x7B,
    0xE2, 0x59, 0xBB, 0x7F, 0x77, 0x23, 0x57, 0x16, 0x8F, 0x6E,
    0x5D, 0x93, 0x9F, 0x87, 0xAE, 0x89, 0x23, 0x4A, 0x7C, 0x9B,
    0xA8, 0xB2, 0x6F, 0x33, 0x62, 0x81, 0x5B, 0x64, 0xBC, 0x2D,
    0x8B, 0xC1, 0xB2, 0x19, 0x26, 0x76, 0x68, 0x6E, 0x82, 0x2A,
    0x18, 0x0D, 0x95, 0xFE, 0x00, 0x3E, 0xEB, 0x86, 0xB6, 0xE3,
    0x13, 0x5E, 0xB8, 0x63, 0x2A, 0x79, 0x0F, 0x97, 0x94, 0xF7,
    0x34, 0x87, 0xD1, 0x6A, 0xDE, 0x0A, 0xFB, 0x5D, 0x1B, 0xA8,
    0x31, 0xE1, 0x66, 0x5E, 0x7A, 0x07, 0x3C, 0x1E, 0x13, 0xBC,
    0xFE, 0x44, 0xCF, 0x22, 0x06, 0xC3, 0xA0, 0x8A, 0xA1, 0x76,
    0x46, 0xDB, 0x53, 0xBC, 0x7D, 0xD2, 0xFD, 0x4B, 0xE1, 0x0C,
    0x4F, 0x41, 0x33, 0x55, 0xA6, 0xCD, 0xD5, 0x60, 0xCD, 0xCE,
    0xA8, 0x5A, 0x00, 0xE7, 0xB7, 0x0A, 0xAE, 0x75, 0xD8, 0x8E,
    0xD4, 0x71, 0xCF, 0xE7, 0xEE, 0x4B, 0xC5, 0x89, 0x85, 0x0B,
    0x38, 0xB1, 0x4C, 0x6C, 0x4E, 0xBE, 0x63, 0xA6, 0x5D, 0x40,
    0x2E, 0x1C, 0xFF, 0x80, 0x9A, 0x10, 0xCE, 0x82, 0x41, 0x79,
    0x39, 0xAD, 0xAD, 0xE2, 0x97, 0xE1, 0xAE, 0x1B, 0x20, 0x47,
    0x3D, 0x1C, 0xBF, 0xCD, 0x25, 0xB1, 0x73, 0x49, 0x16, 0xEE,
    0xCD, 0xBB, 0xC9, 0x8F, 0xEC, 0x57, 0x6E, 0x24, 0xF8, 0xCF,
    0xE5, 0x02, 0x03, 0x01, 0x00, 0x01
};


// One baked-in trust anchor: a root's DER-encoded name and DER-encoded
// SubjectPublicKeyInfo, plus a flag marking test-only roots.
typedef struct _ROOT_INFO {
    CRYPT_DER_BLOB  EncodedName;        // matched byte-for-byte against an issuer name
    CRYPT_DER_BLOB  EncodedPubKeyInfo;  // matched against, or handed out as, the root public key
    BOOL fTestRoot;                     // TRUE => usable only if I_CheckIsTestRootAllowed() succeeds
} ROOT_INFO, *PROOT_INFO;

// The complete set of trust anchors this module accepts, compiled into the
// binary: three production Microsoft roots followed by one test root.
// Each entry is { {name length, name bytes}, {key length, key bytes}, fTestRoot }.
// The BYTE * casts drop const only to fit CRYPT_DER_BLOB's pbData member.
const ROOT_INFO RootTable[] = {
    {   // Microsoft Authenticode(tm) Root Authority
        { sizeof(rgbMicrosoftRoot0_Name), (BYTE *) rgbMicrosoftRoot0_Name },
        { sizeof(rgbMicrosoftRoot0_PubKeyInfo), (BYTE *) rgbMicrosoftRoot0_PubKeyInfo },
        FALSE
    },
    {   // Microsoft Root Authority
        { sizeof(rgbMicrosoftRoot1_Name), (BYTE *) rgbMicrosoftRoot1_Name },
        { sizeof(rgbMicrosoftRoot1_PubKeyInfo), (BYTE *) rgbMicrosoftRoot1_PubKeyInfo },
        FALSE
    },
    {   // Microsoft Root Certificate Authority
        { sizeof(rgbMicrosoftRoot2_Name), (BYTE *) rgbMicrosoftRoot2_Name },
        { sizeof(rgbMicrosoftRoot2_PubKeyInfo), (BYTE *) rgbMicrosoftRoot2_PubKeyInfo },
        FALSE
    },
    {   // Microsoft Test Root Authority (test-only; gated at lookup time)
        { sizeof(rgbTestRoot0_Name), (BYTE *) rgbTestRoot0_Name },
        { sizeof(rgbTestRoot0_PubKeyInfo), (BYTE *) rgbTestRoot0_PubKeyInfo },
        TRUE
    }
};
// Number of entries in RootTable.
#define ROOT_CNT (sizeof(RootTable) / sizeof(RootTable[0]))

// Registry locations (all opened under HKEY_LOCAL_MACHINE) that
// I_CheckIsTestRootAllowed consults.

// Key holding the setup-state value below.
#define wszSETUP_REG                L"System\\Setup"

// Value read from wszSETUP_REG to tell whether setup is in progress.
#define wszSYSTEM_SETUP_REG_VALUE   L"SystemSetupInProgress"

// Key whose presence is taken to mean the Test Root is installed in the
// machine's Root certificate store.
// NOTE(review): the trailing 40 hex digits are presumably the certificate's
// SHA-1 thumbprint -- confirm against the test root certificate.
#define wszTEST_ROOT_REG            L"SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\A4CAECFC40A44BB73E3BBF69477BC68D07B0C7AB"

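// Decide whether the baked-in Test Root may be used as a trust anchor, by
// checking the CERT_STORE_PROV_SYSTEM_REGISTRY store for the Test Root.
//
// The decision rests entirely on HKEY_LOCAL_MACHINE registry state:
//   - the wszTEST_ROOT_REG key can be opened            -> ERROR_SUCCESS
//   - otherwise, SystemSetupInProgress under wszSETUP_REG
//     is a non-zero REG_DWORD (NT GUI-mode setup)        -> ERROR_SUCCESS
//   - otherwise, the value is zero, or is not a
//     well-formed REG_DWORD                              -> CERT_E_UNTRUSTEDROOT
//   - the setup key or value cannot be read              -> that Win32 error
//
// Only the existence of the test-root key is checked; its contents are not
// read here. Both locations live under HKLM, so the answer is only as
// trustworthy as write access to those keys.
//
// Returns ERROR_SUCCESS when the Test Root is allowed, otherwise a nonzero
// error code.
DWORD
WINAPI
I_CheckIsTestRootAllowed(void)
{
    DWORD dwReturn;
    HKEY hTestRootKey = NULL;
    HKEY hSetupKey = NULL;
    DWORD dwType = 0;
    DWORD dwSetupInProgress = 0;
    DWORD cb = sizeof(dwSetupInProgress);

    dwReturn = RegOpenKeyExW(
        HKEY_LOCAL_MACHINE,
        wszTEST_ROOT_REG,
        0, KEY_READ, &hTestRootKey);

    if (ERROR_SUCCESS == dwReturn)
        goto Ret;       // Test Root is installed

    //
    // We've determined that the Test Root isn't installed.  Check if
    // we're in NT GUI-mode setup right now.
    //
    // If we're in setup, we need to allow the Test Root
    // (but *only* for an otherwise valid signature)
    // since we may have been called before
    // setup has had a chance to install the Test Root.
    //

    dwReturn = RegOpenKeyExW(
        HKEY_LOCAL_MACHINE,
        wszSETUP_REG,
        0, KEY_READ, &hSetupKey);

    if (ERROR_SUCCESS != dwReturn)
        goto Ret;

    dwReturn = RegQueryValueExW(
        hSetupKey,
        wszSYSTEM_SETUP_REG_VALUE,
        NULL,
        &dwType,
        (PBYTE) &dwSetupInProgress,
        &cb);

    if (ERROR_SUCCESS != dwReturn)
        goto Ret;

    // Fail closed unless the value really is a full DWORD: a value of
    // another type or a short value must not be read as "setup in progress".
    if (REG_DWORD != dwType ||
            sizeof(dwSetupInProgress) != cb ||
            0 == dwSetupInProgress)
        dwReturn = CERT_E_UNTRUSTEDROOT;

Ret:
    if (hTestRootKey)
        RegCloseKey(hTestRootKey);
    if (hSetupKey)
        RegCloseKey(hSetupKey);

    return dwReturn;
}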

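// Look up a baked-in root by its DER-encoded name.
//
// pIssuerNameValueBlob is compared byte-for-byte (length, then memcmp)
// against each RootTable entry's EncodedName; no name normalization is done.
//
// If found, returns ERROR_SUCCESS and sets *ppRootBlob to the PubKeyInfo blob.
// If the match is a test root, I_CheckIsTestRootAllowed() must succeed first;
// otherwise its status is returned and *ppRootBlob stays NULL.
// If no entry matches, returns CERT_E_UNTRUSTEDROOT with *ppRootBlob NULL.
DWORD
WINAPI
I_MinCryptFindRootByName(
    IN PCRYPT_DER_BLOB pIssuerNameValueBlob,
    OUT PCRYPT_DER_BLOB *ppRootBlob
    )
{
    DWORD i;

    *ppRootBlob = NULL;

    for (i = 0; i < ROOT_CNT; i++) {
        const ROOT_INFO *pRoot = &RootTable[i];

        if (pIssuerNameValueBlob->cbData != pRoot->EncodedName.cbData ||
                0 != memcmp(pIssuerNameValueBlob->pbData,
                        pRoot->EncodedName.pbData,
                        pIssuerNameValueBlob->cbData))
            continue;

        if (pRoot->fTestRoot) {
            // Test roots are trust anchors only when explicitly allowed.
            DWORD dwStatus = I_CheckIsTestRootAllowed();

            if (ERROR_SUCCESS != dwStatus)
                return dwStatus;
        }

        // The table is const; the cast only satisfies the OUT parameter type.
        *ppRootBlob = (PCRYPT_DER_BLOB) &pRoot->EncodedPubKeyInfo;
        return ERROR_SUCCESS;
    }

    return CERT_E_UNTRUSTEDROOT;
}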

// Look up a baked-in root by its DER-encoded SubjectPublicKeyInfo.
//
// The supplied blob is compared byte-for-byte (length, then memcmp) against
// each RootTable entry's EncodedPubKeyInfo.
//
// On a match, returns ERROR_SUCCESS and points *ppRootBlob at the table's
// PubKeyInfo blob. A matching test root must first pass
// I_CheckIsTestRootAllowed(); if it does not, that status is returned and
// *ppRootBlob stays NULL. With no match, returns CERT_E_UNTRUSTEDROOT and
// *ppRootBlob stays NULL.
DWORD
WINAPI
I_MinCryptFindRootByKey(
    IN PCRYPT_DER_BLOB pSubjectPubKeyInfoBlob,
    OUT PCRYPT_DER_BLOB *ppRootBlob
    )
{
    const ROOT_INFO *pRoot;
    const ROOT_INFO * const pEnd = RootTable + ROOT_CNT;

    *ppRootBlob = NULL;

    for (pRoot = RootTable; pRoot != pEnd; pRoot++) {
        const CRYPT_DER_BLOB *pKnownKey = &pRoot->EncodedPubKeyInfo;
        DWORD dwStatus;

        if (pSubjectPubKeyInfoBlob->cbData != pKnownKey->cbData)
            continue;
        if (0 != memcmp(pSubjectPubKeyInfoBlob->pbData,
                    pKnownKey->pbData,
                    pSubjectPubKeyInfoBlob->cbData))
            continue;

        // Same gate as the by-name lookup: a test root counts only when allowed.
        if (pRoot->fTestRoot) {
            dwStatus = I_CheckIsTestRootAllowed();
            if (ERROR_SUCCESS != dwStatus)
                return dwStatus;
        }

        *ppRootBlob = (PCRYPT_DER_BLOB) pKnownKey;
        return ERROR_SUCCESS;
    }

    return CERT_E_UNTRUSTEDROOT;
}



// Search the caller-supplied parsed certificates for one whose subject name
// equals the given issuer name (exact DER bytes: length, then memcmp).
//
// If found, returns pointer to that certificate's
// rgCertBlob[MINASN1_CERT_BLOB_CNT]; the first match in array order wins.
// Otherwise, or when the issuer name is empty, returns NULL.
//
// Only the name is compared; a match says nothing yet about the candidate's
// key, which the caller checks by verifying the signature with it.
PCRYPT_DER_BLOB
WINAPI
I_MinCryptFindIssuerCertificateByName(
    IN PCRYPT_DER_BLOB pIssuerNameValueBlob,
    IN DWORD cCert,
    IN CRYPT_DER_BLOB rgrgCertBlob[][MINASN1_CERT_BLOB_CNT]
    )
{
    const DWORD cbWanted = pIssuerNameValueBlob->cbData;
    const BYTE *pbWanted = pIssuerNameValueBlob->pbData;
    DWORD iCert;

    // An empty issuer name never identifies an issuer.
    if (0 == cbWanted)
        return NULL;

    for (iCert = 0; iCert < cCert; iCert++) {
        const CRYPT_DER_BLOB *pSubjectName =
            &rgrgCertBlob[iCert][MINASN1_CERT_SUBJECT_IDX];

        if (pSubjectName->cbData != cbWanted)
            continue;

        if (0 == memcmp(pbWanted, pSubjectName->pbData, cbWanted))
            return rgrgCertBlob[iCert];
    }

    return NULL;
}


//+-------------------------------------------------------------------------
//  Verifies a previously parsed X.509 Certificate.
//
//  Assumes the ASN.1 encoded X.509 certificate was parsed via
//  MinAsn1ParseCertificate() and the set of potential issuer certificates
//  were parsed via one or more of:
//   - MinAsn1ParseCertificate()
//   - MinAsn1ParseSignedDataCertificates()
//   - MinAsn1ExtractParsedCertificatesFromSignedData()
//
//  Iteratively finds the issuer certificate via its encoded name. The
//  public key in the issuer certificate is used to verify the subject
//  certificate's signature. This is repeated until finding a self signed
//  certificate or a baked in root identified by its encoded name.
//  For a self signed certificate, compares against the baked in root
//  public keys.
//
//  If the certificate and its issuers were successfully verified to a
//  baked in root, ERROR_SUCCESS is returned.  Otherwise, a nonzero error
//  code is returned:
//   - CRYPT_E_UNKNOWN_ALGO   the signature algorithm's hash is not recognized
//   - CERT_E_CHAINING        no issuer found in the supplied set, or more
//                            than MAX_CHAIN_DEPTH issuer hops were needed
//   - otherwise              the status from the failing helper (hashing,
//                            root lookup or signature verification)
//
//  Scope of the check: this function itself looks only at issuer/subject
//  name bytes, public keys and signatures. Nothing in it examines validity
//  dates, basicConstraints / keyUsage of an issuer, or revocation.
//  NOTE(review): callers that need those guarantees presumably enforce them
//  elsewhere -- confirm against the callers.
//--------------------------------------------------------------------------
LONG
WINAPI
MinCryptVerifyCertificate(
    IN CRYPT_DER_BLOB rgSubjectCertBlob[MINASN1_CERT_BLOB_CNT],
    IN DWORD cIssuerCert,
    IN CRYPT_DER_BLOB rgrgIssuerCertBlob[][MINASN1_CERT_BLOB_CNT]
    )
{
    LONG lErr;
    DWORD dwChainDepth = 0;     // issuer hops taken so far
    PCRYPT_DER_BLOB rgSubject;  // certificate currently being verified
    BOOL fRoot = FALSE;         // set once the verifying key is a baked in root

    rgSubject = rgSubjectCertBlob;
    while (!fRoot) {
        ALG_ID HashAlgId;
        BYTE rgbHash[MINCRYPT_MAX_HASH_LEN];
        DWORD cbHash;

        PCRYPT_DER_BLOB rgIssuer = NULL;
        PCRYPT_DER_BLOB pIssuerPubKeyInfo = NULL;

        // Hash the Subject's ToBeSigned bytes.
        // The hash algorithm comes from the certificate's own signature
        // AlgorithmIdentifier; which algorithms are accepted is decided by
        // MinCryptDecodeHashAlgorithmIdentifier, not here.
        HashAlgId = MinCryptDecodeHashAlgorithmIdentifier(
            &rgSubject[MINASN1_CERT_SIGN_ALGID_IDX]);
        if (0 == HashAlgId)
            goto UnknownHashAlgId;
        lErr = MinCryptHashMemory(
            HashAlgId,
            1,                  // cBlob,
            &rgSubject[MINASN1_CERT_TO_BE_SIGNED_IDX],
            rgbHash,
            &cbHash
            );
        if (ERROR_SUCCESS != lErr)
            goto ErrorReturn;

        // Get the public key to decrypt the signature

        // Check if SelfSigned (issuer name bytes equal subject name bytes)
        if (rgSubject[MINASN1_CERT_ISSUER_IDX].cbData ==
                rgSubject[MINASN1_CERT_SUBJECT_IDX].cbData
                                &&
                0 == memcmp(rgSubject[MINASN1_CERT_ISSUER_IDX].pbData,
                        rgSubject[MINASN1_CERT_SUBJECT_IDX].pbData,
                        rgSubject[MINASN1_CERT_ISSUER_IDX].cbData)) {
            // A self signed certificate is trusted only if its public key
            // is one of the baked in root keys. The lookup returns a
            // nonzero status whenever it leaves the pointer NULL, so lErr
            // already holds the error to report.
            lErr = I_MinCryptFindRootByKey(
                &rgSubject[MINASN1_CERT_PUBKEY_INFO_IDX],
                &pIssuerPubKeyInfo);
            if (NULL == pIssuerPubKeyInfo)
                goto ErrorReturn;
            fRoot = TRUE;
        } else {
            // Check if the issuer is a root
            lErr = I_MinCryptFindRootByName(
                &rgSubject[MINASN1_CERT_ISSUER_IDX],
                &pIssuerPubKeyInfo);
            if (pIssuerPubKeyInfo)
                fRoot = TRUE;
            else {
                // If some other error code is set, then some
                // sort of unexpected system error occurred
                // and we should bail.
                //
                // CERT_E_UNTRUSTEDROOT covers two cases: the issuer name
                // is not a baked in root, or it names the test root and
                // the test root is not allowed. Both continue with the
                // supplied certificate set below.
                if (CERT_E_UNTRUSTEDROOT != lErr)
                    goto ErrorReturn;
                
                // Try to find the issuer from the input set of
                // certificates
                rgIssuer = I_MinCryptFindIssuerCertificateByName(
                    &rgSubject[MINASN1_CERT_ISSUER_IDX],
                    cIssuerCert,
                    rgrgIssuerCertBlob
                    );
                if (NULL == rgIssuer)
                    goto PartialChain;

                // The candidate was selected by name alone; the signature
                // check below is what ties the subject to this key.
                pIssuerPubKeyInfo = &rgIssuer[MINASN1_CERT_PUBKEY_INFO_IDX];
            }
        }

        // Use the issuer or root's public key to decrypt and verify
        // the signature.
        lErr = MinCryptVerifySignedHash(
            HashAlgId,
            rgbHash,
            cbHash,
            &rgSubject[MINASN1_CERT_SIGNATURE_IDX],
            pIssuerPubKeyInfo
            );
        if (ERROR_SUCCESS != lErr)
            goto ErrorReturn;

        if (!fRoot) {
            // Not anchored yet: the issuer becomes the next subject.
            // The depth cap bounds the loop even if the supplied
            // certificates reference each other in a cycle.
            assert(rgIssuer);
            dwChainDepth++;
            if (MAX_CHAIN_DEPTH < dwChainDepth)
                goto CyclicChain;
            rgSubject = rgIssuer;
        }
    }


    // Every signature up to a baked in root verified.
    lErr = ERROR_SUCCESS;

ErrorReturn:
CommonReturn:
    return lErr;

UnknownHashAlgId:
    lErr = CRYPT_E_UNKNOWN_ALGO;
    goto CommonReturn;
CyclicChain:
PartialChain:
    lErr = CERT_E_CHAINING;
    goto CommonReturn;
}
